Splunk Search

How to add a table column that does operations in each cell based on the values from another column?

Motivator

if I have a search that gives me something like this:

a b c 
1 2 3
4 5 6
7 8 9 

how do I add a column d that would do an operation (row2columnC - row1columnC, row3columnC - row2columnC ... all the way down ) in each cell in column d(jsut want to show the value in column d)

a b c d  
1 2 3 3-0=3
4 5 6 6-3=3
7 8 9 9-6=3

I am thinking it would be ...| eval = ?? or something like this...

Tags (4)
0 Karma
1 Solution

SplunkTrust
SplunkTrust

Try this

your search |delta c as difference p=1|fillnull value=0 difference

View solution in original post

Motivator

don't using eval

use the command deltawho working like that:

For each event where field is a number, the `delta command` computes the difference, in search order, between the field value for the event and the field value for the previous event

next try this

your search |delta c as d

SplunkTrust
SplunkTrust

Try something like this

your current search giving fields a,b,c | delta c as d | eval d=coalesce(d,c)

Motivator

what does eval d=coalesce(d,c) do here? I can't seem to see the difference. Or do i need a null value to see it working?

http://docs.splunk.com/Documentation/Splunk/6.1/SearchReference/Commonevalfunctions

0 Karma

SplunkTrust
SplunkTrust

Try this

your search |delta c as difference p=1|fillnull value=0 difference

View solution in original post

Motivator

all good answers here is a working example:
| makeresults count=3 | streamstats count as a | eval a=a+1 | streamstats count as b | eval b=b+10 | streamstats count as c | eval c=c+11 | delta a as a_dif p=1

0 Karma